IPComp is enabled with the following sysctl(2) variable in /etc/sysctl.conf:

net.inet.ipcomp.enable

IPComp is a protocol used to reduce the size of IP datagrams. It can be used to
enhance the communication performance between a pair of hosts/gateways,
especially on slow links, by compressing the datagrams, provided the
communicating entities have enough computational power.

This protocol is especially useful when encryption or authentication is applied
to IP datagrams using the IPsec protocol (see ipsec(4) for more information
about IPsec). Encrypting information increases its entropy to the point
where compression at a lower layer becomes completely useless (e.g., the PPP
Compression Control Protocol). IPComp is applied at the network layer before
other encryption operations are applied (except encryption protocols applied
at a higher layer such as ssh(1) or ssl(8)).

Just like for the other IPsec protocols, IPComp needs some parameters for each
connection, specifying how the compression should be done between the
entities. The parameters are collected in a structure called an IPComp
Association (IPCA). The parameters stored in an IPCA are the destination
address and the Compression Parameter Index (CPI). An IPCA is the counterpart
of the SA (Security Association) for IPsec.

Currently, IPCAs can be created using the ipsecctl(8) tool. Using ipsecctl(8)
it is also possible to create IPComp flows and SA/IPCA bundles. Such a bundle
is used to create a combination of IPsec and IPComp flows (thus enabling
compression in an IPsec protocol).

The compression is done on the data following the IP header, and an IPComp
header is inserted between the compressed data and the IP header. In the case
of IPv6, there are extension headers which cannot be compressed since they are
modified by routers along the way to the destination. These extension
headers are hop-by-hop, routing, and fragmentation.

When doing compression, it is possible that the uncompressed data is smaller in
size than the compressed data. To avoid this behaviour, a non-expansion policy
is used in IPComp. If the data payload is smaller than a given threshold, it
will not be compressed and no IPComp header will be inserted.
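
The header insertion and non-expansion policy described above, sketched in user-space Python as an added example (not OpenBSD's kernel code); the high-entropy sample also shows why compression has to happen before encryption. The 4-byte header layout, protocol number 108 and the DEFLATE CPI follow RFC 3173, as does the check that the compressed form is actually smaller; the 90-byte threshold, the 65535-byte decompression cap, the function names and the sample inputs are assumptions.

```python
import hashlib
import struct
import zlib

IPPROTO_IPCOMP = 108   # IP protocol number assigned to IPComp
CPI_DEFLATE = 2        # well-known CPI for DEFLATE (RFC 3173)
THRESHOLD = 90         # assumed sample threshold in bytes; the page gives no value
MAX_PLAIN = 65535      # assumed cap on decompressed size (one IPv4 datagram)


def ipcomp_encap(next_proto, payload, threshold=THRESHOLD):
    """Return (ip_protocol, data_after_ip_header) for an outgoing payload."""
    if len(payload) < threshold:
        return next_proto, payload            # below threshold: no IPComp header
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE stream
    body = comp.compress(payload) + comp.flush()
    header = struct.pack("!BBH", next_proto, 0, CPI_DEFLATE)  # next hdr, flags, CPI
    if len(header) + len(body) >= len(payload):
        return next_proto, payload            # would not shrink: send unmodified
    return IPPROTO_IPCOMP, header + body


def ipcomp_decap(ip_proto, data):
    """Inverse of ipcomp_encap(); uncompressed packets pass through unchanged."""
    if ip_proto != IPPROTO_IPCOMP:
        return ip_proto, data
    if len(data) < 4:
        raise ValueError("truncated IPComp header")
    next_proto, flags, cpi = struct.unpack("!BBH", data[:4])
    if flags != 0 or cpi != CPI_DEFLATE:
        raise ValueError("unsupported IPComp header")
    inflater = zlib.decompressobj(-15)
    plain = inflater.decompress(data[4:], MAX_PLAIN)  # bound the output size
    if not inflater.eof:
        raise ValueError("truncated or oversized compressed payload")
    return next_proto, plain


# Constructed sample inputs.
TEXT = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n" * 12
# SHA-256 output stands in for ciphertext: high entropy, nothing to compress.
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))

if __name__ == "__main__":
    for name, proto, data in (("short", 6, TEXT[:40]), ("text", 6, TEXT),
                              ("ciphertext-like", 50, CIPHERTEXT_LIKE)):
        out_proto, out = ipcomp_encap(proto, data)
        print(f"{name}: {len(data)} -> {len(out)} bytes, IP protocol {out_proto}")
```

The bounded decompression in ipcomp_decap() matters on the receive side: a small compressed payload can otherwise inflate to an arbitrarily large buffer.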

IPComp uses the same policy framework as IPsec. However, unlike IPsec, only one
policy is available for IPComp:

IPSEC_LEVEL_USE

Use IPComp for sending packets but still accept packets
which are not compressed.